
IP Helper address overrides firewall ?

SOLVED
Stephan G
Frequent Advisor


Hello,

I came across a strange problem (again ;) ). I've put my DHCP server into my VLAN with an IP helper address.

On the firewall all requests to this server are blocked (except DHCP on port 67). I can get an IP address and everything works fine.

BUT I can also access shares on this server ?!? On all the other servers I can't (and that's the way I like it ;) ). It's the guest VLAN and the client should only access the internet.

Can anyone tell me if I'm right and if yes .. what can I do about it ?

Greets
Stephan
15 REPLIES
Tijl van der Steeg
Valued Contributor

Re: IP Helper address overrides firewall ?

It's true that IP helper enables all broadcasts.
What about denying SMB on the firewall? Seems like not everything is blocked.
Interesting case though.

As a workaround you could consider denying SMB access on the Windows firewall from the guest VLAN/subnet.
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

That would be a workaround. But at the moment I'm not sure if I can cover all the services. The server is also a DC and DNS server. So I have many ports to configure. I think I will do that when nobody tries to use this server.

But can someone prove this ? I mean port 445 is blocked and I can see that in my live log. So I don't understand why the access is possible.

Greets
Stephan
Tijl van der Steeg
Valued Contributor

Re: IP Helper address overrides firewall ?

Because of the NetBIOS forwarding I'd say. IP helper forwards all broadcasts as far as I'm aware.
You can consider disabling NetBIOS on the adapter of the server because it's legacy anyway. All servers should be DNS enabled.
Pieter 't Hart
Honored Contributor

Re: IP Helper address overrides firewall ?

"IP helper forwards all broadcast"
is not completely true....
IP-Helper makes the receiving router on the VLAN transform the DHCP requests from broadcasts to unicasts to the DHCP server. With the source address coming from the router and not from the subnet where the DHCP request came from!

How is this router connected, and how is the firewall connected?
If the router (routing switch) has an interface in the client VLAN and the DHCP-server VLAN, this traffic will not pass the firewall but goes directly to the DHCP server.
Also check your firewall filters: the requests come from the router's IP address.

Please specify your network config (diagram) in more detail.
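The relay behaviour described above (a client broadcast becomes a unicast sourced from the relay's own address, which is therefore what the firewall matches on) as an added Python model; this is example code, not from the thread or from any switch or firewall. The relay address 192.168.99.1 is an assumed value; the other addresses are constructed to match the subnets in the thread.

```python
"""Model of what a DHCP relay (IP helper) does to a client broadcast, and
what a firewall between the relayed VLAN and the server therefore sees.
Constructed example; addresses are made up to match the thread
(guest VLAN 192.168.99.0/24, DHCP server 172.20.20.12)."""
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
SERVER_IP = "172.20.20.12"        # DHCP server in VLAN 1 (from the thread)
RELAY_IP = "192.168.99.1"         # assumed router interface in VLAN 99

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

def build_discover(mac: bytes, xid: int) -> UdpPacket:
    """Client DHCPDISCOVER: broadcast from 0.0.0.0:68 to 255.255.255.255:67.
    Only the fixed BOOTP header (RFC 2131, 236 bytes) is modelled, no options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return UdpPacket("0.0.0.0", "255.255.255.255", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, hdr)

def relay(pkt: UdpPacket, relay_ip: str, server_ip: str) -> UdpPacket:
    """IP helper: increment hops, set giaddr to the relay's interface if unset,
    and unicast the result from the relay's own address to the server."""
    hops = pkt.payload[3] + 1
    giaddr = pkt.payload[24:28]                      # giaddr sits at offset 24
    if giaddr == b"\0" * 4:
        giaddr = bytes(int(o) for o in relay_ip.split("."))
    payload = pkt.payload[:3] + bytes([hops]) + pkt.payload[4:24] + giaddr + pkt.payload[28:]
    return UdpPacket(relay_ip, server_ip, DHCP_SERVER_PORT, DHCP_SERVER_PORT, payload)

def firewall_allows(pkt: UdpPacket, server_ip: str) -> bool:
    """Guest-VLAN policy from the thread: everything to the server is denied
    except DHCP on UDP/67. The source the rule sees is the relay, not the client."""
    if pkt.dst_ip != server_ip:
        return True                # not the protected server; rest of the policy decides
    return pkt.dst_port == DHCP_SERVER_PORT

if __name__ == "__main__":
    seen = relay(build_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234), RELAY_IP, SERVER_IP)
    print(f"firewall sees {seen.src_ip}:{seen.src_port} -> {seen.dst_ip}:{seen.dst_port}")
```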
Tijl van der Steeg
Valued Contributor

Re: IP Helper address overrides firewall ?

OK that's clarified :)
Although I'm sure disabling netbios fixes this, I'm curious what the root cause is
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

Hello,

I've made a Visio drawing.

The firewall has a port tagged with VLAN 99 and no VLAN 1.

The DHCP server has a connection to an untagged VLAN 1 port, with the IP address 172.20.20.12.

The unauthorized clients get a 192.168.99.10-150 IP address from this server.

Authorized get 172.20.20.50-254.

I hope this helps in further analysis.

The switches don't have "ip routing" enabled. This should be the task of the firewall.

Pieter 't Hart
Honored Contributor

Re: IP Helper address overrides firewall ?

>>> The firewall has a port tagged with VLAN 99 and no VLAN 1. <<<
I think you mean
The Firewall has only one port connected to the switch.
- tagged in VLAN 99;
- untagged in VLAN 1.
is this correct?
On the firewall you must have created a "subinterface" for VLAN 99 to process packets for this VLAN.

The switches don't have IP routing enabled
=> so an IP helper address configured here has no function!
An IP helper must be configured at the router!

Here the firewall must connect both networks at least for DHCP, so this must act as the router!
Here you must configure the DHCP forwarding.
How to do that depends on the model.

The unauth client port must be untagged in VLAN 99.
The authorized client port must be untagged in VLAN 1.

The DHCP server must have two DHCP scopes, one for each subnet.
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

The clients get their IP address right now without problems.

For the client port: I make the decision auth/unauth with a RADIUS server. So the port is dynamically "configured".

I don't understand what you mean with:
The switches don't have IP routing enabled
=> so an IP helper address configured here has no function!
An IP helper must be configured at the router!

Because it's working, and when I disable the DHCP rule on my firewall I can also see the blocked requests.

And you are right. My firewall is my router. It has an extra interface directly connected to the switch. And I thought that without "ip routing" enabled on the switch every packet would pass the firewall.
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

I mean extra VLAN connection and another one for the DEFAULT_VLAN
Pieter 't Hart
Honored Contributor
Solution

Re: IP Helper address overrides firewall ?

Hi Stephan,
>>>
I don't understand what you mean with:
The switches don't have IP routing enabled
=> so an IP helper address configured here has no function!
An IP helper must be configured at the router! <<<

- In your original post you mention having configured an IP helper.
- >>> The switches don't have "ip routing" enabled. This should be the task of the firewall <<<
- In the diagram you supplied, the text "ip-helper" stands next to one of the switches.
So I assumed you configured this at the switch.
Please report if this assumption is wrong.

If the IP helper is configured at the switch and routing is not enabled, it will do nothing.
The IP helper function will be performed by the firewall as this also does the routing.
Pieter 't Hart
Honored Contributor

Re: IP Helper address overrides firewall ?

>>> And I thought that without "ip routing" enabled on the switch every packet would pass the firewall. <<<

This should work as you intended.
If the switches don't route, then they should only forward packets on layer 2 within the VLAN.
And the firewall is the only device that should connect the VLANs.
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

Hello Pieter,

I configured it on the VLAN because I thought that the DHCP packets need to know where the DHCP servers are.

But you are right. I just deleted the IP helper entry in the VLAN. And I still get an IP address in the right subnet.

And now :) the firewall kicks in and blocks the requests to my DHCP servers.

Thanks a lot for the solution. Although it's still a security issue for someone who doesn't know how to configure it right ;)

Greets
Stephan
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

And another positive feature: I don't need an IP address for the VLAN on each switch anymore.
Tijl van der Steeg
Valued Contributor

Re: IP Helper address overrides firewall ?

OK I got it wrong, and did not ask the right questions. Sorry about that.
Good you got it sorted :D
Stephan G
Frequent Advisor

Re: IP Helper address overrides firewall ?

No problem :)

And another thing I discovered now: I need to set up at least one switch with an IP address and IP helper.